infoTECH Feature

October 30, 2014

Security in the Cloud: How Hackers Are Going to Get Your Encryption Keys

By TMCnet Special Guest
Gilad Parann-Nissany, CEO and Founder, Porticor

It has been well-studied, documented, and reported that our greatest concern with regard to acceptance of and migration to cloud computing is security. In 2014’s “The Future of Cloud Computing” Survey, 49 percent of respondents cited security as an inhibitor to cloud adoption.  And, trailing not far behind on the scale of inhibitors are privacy and regulatory compliance, with over 30 percent each.

Nonetheless, the cloud is an integral and strategic innovation that fuels new business and provides competitive advantage. In contrast to the inhibitors, the drivers for cloud adoption include agility, cost-effectiveness, scalability, and shifting CapEx to OpEx. Goldman Sachs reports that 27 percent of those moving workloads to the cloud are motivated to do so because it will help them lower capital expenditures.

And so, IT leaders are left with a conundrum: shun the cloud because of concerns around security, privacy, and compliance, or accept the cloud as the next frontier and take the proper precautions when stepping into the future.

Cloud Security Precautions to Consider

To combat the security, privacy, and compliance concerns, best practices include secured infrastructure (firewalls, etc.), employee training, and encrypting data. Cloud encryption protects sensitive data in case there is a breach. With proper encryption, even if the cloud is breached, data is rendered unreadable and unusable.

Unless, of course, hackers can get the encryption keys; with the keys in their possession, they can easily access even the encrypted data.

To stay a step ahead of hackers is to think like a hacker. How will hackers get your encryption keys?

A Hacker’s List of Security Holes 

  1. Keys stored alongside data: When encryption keys are stored in the cloud alongside the protected, encrypted data, accessing them is easy. The same security vulnerability that was penetrated to access the data can be used to get the keys. Once a hacker has both the encrypted data and the encrypted key offline, he can easily decrypt data and use it or sell it as he wishes.
  2. Keys managed by cloud providers: In the event that encryption keys are managed by cloud providers, the risks are different.
    • There have been very public and serious legal wrangles in which cloud providers were required by law to hand over encryption keys. Obviously they can do so only if they own them.
    • In terms of compliance best practice, keys managed by cloud providers mean that – at the end of the day – the cloud provider owns your data and not really you!
    • There are also concerns on various “insider attacks” – think of Snowden morphed into a cloud provider employee.
    • One risk has been recently highlighted when Amazon (commendably) rolled out a security fix to much of their XEN infrastructure – the risk is that a “zero day” vulnerability at the cloud provider, impacts all cloud customers at once. Such a mass vulnerability is very attractive to hackers if and when they find it.
  3. Hardware Security Modules: While some companies opt for hardware-based solutions like HSMs for managing their encryption keys, these solutions are not ideal for cloud scenarios. As a company that values the economics and scalability of the cloud, using hardware to solve security concerns is counter-intuitive. HSMs in a cloud scenario also raise some security questions. As soon as an encryption key leaves the secure hardware (to encrypt an object in the cloud), it is no longer secured by the HSM. Securing key caches in the cloud becomes essential to avoid points of attack that may be vulnerable to a hacker.
  4. Virtual Key Managers: Virtual versions of HSMs may actually be a point of attack, as they place your encryption keys in the cloud next to your data. Also, these virtual key management solutions are compliant and certified only for their hardware offering – the virtual part is not compliant and not sufficiently secure.

Achieving Compliance, Privacy, and Security in the Cloud

Hackers have ways of penetrating security perimeters. They can easily access encryption keys stored in the cloud and use them to decrypt sensitive data. This avails your company to breaches, bad PR, and financial as well as bureaucratic responsibilities (just ask former Target (News - Alert) CIO, Beth Jacobs). Hackers can also infiltrate employees of cloud providers (or of the company they are targeting) who have access to the encryption keys stored there. Earlier this year, Coke reported a data breach where a former worker stole several company laptops that locally stored employee information, such as social security and driver’s license numbers.

Some companies take security to the highest level by splitting their encryption key into two parts: one kept with them at all times. Since both parts are needed to decrypt data, compromising these companies is an impossible mission. Furthermore, they often also protect their keys with homomorphic key management, which encrypts the key itself while it is in use. Due to this, their keys become inaccessible – hackers cannot get them while they are in use nor while they are stored. When coming across companies that use these precautions, it is best to move on to easier targets.

To truly achieve the required compliance, privacy, and security in the cloud, the bottom line is that all data must be properly encrypted and encryption keys can never be trusted to anyone. By owning the keys, you own the data. The best practice of benefitting from the cloud while maintaining ownership of encryption keys is through software-defined innovations like split-key encryption and homomorphic key management

Edited by Maurice Nagle

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers